Exam CAS-004
Question 50

A security engineer needs to implement a solution to increase the security posture of user endpoints by providing more visibility and control over local administrator accounts. The endpoint security team is overwhelmed with alerts and wants a solution that has minimal operational burdens. Additionally, the solution must maintain a positive user experience after implementation.

Which of the following is the BEST solution to meet these objectives?

Correct Answer: B

The best solution is to implement Privileged Access Management (PAM), remove users from the local administrators group, and prompt users for explicit approval when elevated privileges are required. This approach effectively increases the security posture by limiting access to administrative privileges and provides more visibility and control over elevated actions. It minimizes operational burden by centralizing the management of privileged access through PAM while allowing users to gain necessary access efficiently, thereby maintaining a positive user experience.

Discussion
BiteSize (Option: B)

Never keep users in the local administrators group. Security 101!!! Administrative functions need to be separate, preferably enterprise managed with PKI, and require prompts. Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

FOURDUE (Option: B)

prompt users for explicit approval when elevated privileges are required.

lordguck (Option: B)

I go for B, as the main objective is "increase the security posture of user endpoints by...". If the end users are not happy all the time, that's secondary in my mind.

Mr_BuCk3th34D

I'm with you. Overall, the best solution to meet the objectives listed above is to implement PAM and remove users from the local administrators group. This will provide more visibility and control over privileged accounts and access, reduce the risk of privilege escalation attacks, and maintain a positive user experience after implementation.

sugarmonster (Option: C)

My reasons for choosing C are: 1. It says the security team is overwhelmed, possibly by detecting and responding to alerts, which EDR will take care of. 2. Enabling privilege escalation monitoring does provide "minimum operational burden and positive user experience after implementation"; the end user doesn't have to change how they have been working. Your choice B introduces further passwords when a user wants to escalate privilege, and the security team still has to respond to alerts that could have been detected and blocked by EDR.

Geofab (Option: B)

I am in agreement with B

Jackie2021 (Option: B)

Have to remove users from the admin group, and need to prompt to input the admin right every time users need to install any applications.

FOURDUE

agreed.

[Removed] (Option: A)

The question asks [providing more visibility and control over local administrator accounts], not visibility and control over the endpoint; therefore EDR is not the proper choice here. Only PAM manages privileged users and safeguards against abuse.

adamwella (Option: A)

"minimal operational burdens" as in if you disable all of your local account administrators you will have no management of your network. Also, asks for monitoring and *visibility*. Definitely choice A.

tegrin (Option: A)

B will result in more operational burden because you have to always approve, etc. That's overhead and it would affect experience. However, if "Additionally, the solution must maintain a positive user experience after implementation." is not there, the correct answer will be B. So the answer is A.

Anarckii (Option: B)

Lol, you don't want users to be in local admin groups. So remove them from it and make sure they are prompted for priv esc tasks.

JackZ (Option: B)

I think B is correct

DaleC78 (Option: B)

This option allows accounts to elevate their privileges (increases security posture) and that these actions will be audited (increases visibility)

ryanzou (Option: A)

A is correct

23169fd (Option: B)

- Increases Security Posture: By removing users from the local admin group and managing elevated privileges through PAM.
- Provides Visibility and Control: PAM provides robust management and monitoring of privileged access.
- Minimizes Operational Burden: PAM reduces the number of alerts compared to EDR and focuses on managing privileged access.
- Maintains Positive User Experience: Prompting users for explicit approval for elevated privileges is a user-friendly approach that ensures necessary access without compromising security.

SangSang (Option: A)

I would choose A because:

- Maintains user experience by keeping users in the local administrators group.
- Provides visibility and control over local administrator accounts through PAM.
- Reduces operational burdens by using PAM to streamline and centralize the management of elevated privileges.

You don't wanna change the user experience even if it is the security best practice. Read the question carefully.

AaronS1990 (Option: A)

I feel as though it's A due to the first half of the question. However, it then states: "a solution that has minimal operational burdens. Additionally, the solution must maintain a positive user experience after implementation." Removing rights and forcing people to seek explicit approval does neither of those things. Keeping an eye on their account, however, should keep everything running smoothly.

kycugu (Option: A)

I see many people choosing B. While implementing PAM and enabling local administrator account monitoring can certainly increase the security posture of user endpoints, keeping users in the local administrators group can actually increase the risk of privilege abuse. Local administrator accounts have full control over the endpoint and can make changes that could potentially compromise security. By keeping users in the local administrators group, the risk of privilege abuse is increased and the endpoint security team may still be overwhelmed with alerts. The answer is A.

FoxTrotDG

You gave an explanation as to why the answer is B, not A

[Removed]

A says keep users in administrator group.